I am trying to solve a problem where I am analyzing some http traffic using bro. To limit the bro log sizes, I want to capture only those http events which have certain string patterns in their bodies. The string patterns will be unique for each host + uri pair. I am putting this info (host, uri, regex) in a file and loading it into bro using the file input framework. I want to apply the regex on the http body if the host and uri match. When I try to search the body using:
find_all(body, string_to_pattern(regex_string_from_file, T));
I get some very weird behavior. The code in the entire block after the string_to_pattern statement is not executed (and I don’t get any error). This happens when I run it on the command line against a pcap.
To understand the problem better, I tried to reproduce the problem on try.bro.org. I get the following error when I use string_to_pattern in my script on the try.bro.org website. I would like to understand the reason behind this restriction. Also, I would like to know whether there are any alternative solutions I can pursue to solve my problem. Any help is appreciated. Thanks.
1320279566.452687 error in ././trybro.bro, line 17: string_to_pattern can only be called at init time (string_to_pattern(Hello, World, T))
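The following is an added illustration, not the poster's script, of the one placement the error message does permit: compiling every pattern inside bro_init and only calling find_all() (which takes an already compiled pattern) at runtime. The host, uri and regex values are made up, and the module name is an arbitrary choice. Note that this does not by itself cover the poster's setup, because rows delivered by the input framework arrive after bro_init has run.

```bro
# Added example (not from the original post). All host/uri/regex entries below
# are constructed sample data.
module BodyFilter;

export {
    # Compiled body patterns, keyed by (host, uri).
    global body_patterns: table[string, string] of pattern = table();
}

event bro_init()
    {
    # string_to_pattern() is only permitted at init time (the error quoted
    # above), so every pattern must be compiled here, before any packet is
    # processed. Second argument T means "treat the string as a regex".
    body_patterns["www.example.com", "/login"]     = string_to_pattern("sess(ion)?id=[0-9a-f]+", T);
    body_patterns["www.example.com", "/search"]    = string_to_pattern("q=[^&]*union[^&]*select", T);
    body_patterns["api.example.net", "/v1/upload"] = string_to_pattern("X-Debug-Token: [0-9a-f]{8}", T);
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # host and uri are &optional fields of HTTP::Info; check before use.
    if ( ! c?$http || ! c$http?$host || ! c$http?$uri )
        return;

    if ( [c$http$host, c$http$uri] !in body_patterns )
        return;

    # find_all() accepts a pattern value, so it is fine to call at runtime;
    # only the string-to-pattern compilation is restricted to init time.
    local hits = find_all(data, body_patterns[c$http$host, c$http$uri]);
    if ( |hits| > 0 )
        print fmt("%s %s%s matched: %s", c$id$orig_h, c$http$host, c$http$uri, hits);
    }
```

One caveat for anyone adapting this: http_entity_data delivers the body in chunks, so a match that straddles a chunk boundary is missed unless the chunks are buffered and searched together.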